From c725fa2e2967a0df0dbb6c9299c44a9448a5a9ba Mon Sep 17 00:00:00 2001 From: Luca Filipozzi Date: Sat, 4 Jan 2014 03:09:13 +0000 Subject: [PATCH] ensure that links and hashes are properly created --- modules/ssl/manifests/init.pp | 127 +++++++++++++++++----------------- 1 file changed, 64 insertions(+), 63 deletions(-) diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index e8d68a4f..c9fbbf36 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp @@ -1,70 +1,69 @@ class ssl { - package { - 'openssl': - ensure => installed, - ; - 'ssl-cert': - ensure => installed, - ; - 'ca-certificates': - ensure => installed, - ; + $cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt' + $caconf = '/etc/ca-certificates.conf' + + package { 'openssl': + ensure => installed, + } + package { 'ssl-cert': + ensure => installed, + } + package { 'ca-certificates': + ensure => installed, } file { '/etc/ssl/servicecerts': - ensure => directory, - mode => '0755', - purge => true, - recurse => true, - force => true, - source => 'puppet:///modules/ssl/servicecerts/', - notify => Exec['make_new_service_links'] + ensure => directory, + source => 'puppet:///modules/ssl/servicecerts/', + mode => '0644', + purge => true, + recurse => true, + force => true, + notify => Exec['refresh_debian_links'], } - file { '/etc/ssl/debian': - ensure => directory, - mode => '0755', - purge => true, - recurse => true, - force => true, - source => 'puppet:///files/empty/' + ensure => directory, + source => 'puppet:///files/empty/', + mode => '0644', + purge => true, + recurse => true, + force => true, } file { '/etc/ssl/debian/certs': - ensure => directory, - mode => '0755', + ensure => directory, + mode => '0755', } file { '/etc/ssl/debian/crls': - ensure => directory, - mode => '0755', + ensure => directory, + mode => '0755', } file { '/etc/ssl/debian/keys': - ensure => directory, - group => ssl-cert, - mode => '0750', + ensure => directory, + mode => '0750', + group => ssl-cert, require => Package['ssl-cert'], } file { '/etc/ssl/debian/certs/thishost.crt': - source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt", - notify => Exec['c_rehash /etc/ssl/debian/certs'], + source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt", + notify => Exec['refresh_debian_hashes'], } file { '/etc/ssl/debian/keys/thishost.key': - source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", - mode => '0440', + source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", + mode => '0440', group => ssl-cert, require => Package['ssl-cert'], } file { '/etc/ssl/debian/certs/ca.crt': - source => 'puppet:///modules/ssl/clientcerts/ca.crt', - notify => Exec['c_rehash /etc/ssl/debian/certs'], + source => 'puppet:///modules/ssl/clientcerts/ca.crt', + notify => Exec['refresh_debian_hashes'], } file { '/etc/ssl/debian/crls/ca.crl': source => 'puppet:///modules/ssl/clientcerts/ca.crl', } - file { '/etc/ssl/debian/certs/thishost-server.crt': source => "puppet:///modules/exim/certs/${::fqdn}.crt", - notify => Exec['c_rehash /etc/ssl/debian/certs'], + notify => Exec['refresh_debian_hashes'], } file { '/etc/ssl/debian/keys/thishost-server.key': source => "puppet:///modules/exim/certs/${::fqdn}.key", @@ -73,37 +72,39 @@ class ssl { require => Package['ssl-cert'], } - exec { 'make_new_service_links': - command => 'cp -f --symbolic-link ../servicecerts/* .', + exec { 'refresh_debian_links': + command => 'cp -f -s ../servicecerts/* .', cwd => '/etc/ssl/certs', refreshonly => true, - notify => Exec['cleanup_dead_links'] + notify => Exec['delete_unused_links'], } - - exec { 'cleanup_dead_links': - command => 'find -L /etc/ssl/certs -mindepth 1 -maxdepth 1 -type l -delete', + exec { 'delete_unused_links': + command => 'find -L . -mindepth 1 -maxdepth 1 -type l -delete', + cwd => '/etc/ssl/certs', refreshonly => true, - notify => Exec['c_rehash /etc/ssl/certs'] + notify => Exec['refresh_normal_hashes'], # see NOTE 1 } - - exec { 'c_rehash /etc/ssl/certs': - refreshonly => true, + exec { 'modify_configuration': + command => "sed -i -e 's#!${cacert}#${cacert}' ${caconf}", + onlyif => "grep -Fqx '!${cacert}' ${caconf}", + notify => Exec['refresh_normal_hashes'], + require => Package['ca-certificates'], } - - exec { 'c_rehash /etc/ssl/debian/certs': + exec { 'refresh_debian_hashes': + command => '/usr/bin/c_rehash .', + cwd => '/etc/ssl/debian/certs', refreshonly => true, - } - - exec { 'modify_ca_certificates_conf': - command => 'sed -i -e \'s#!mozilla/UTN_USERFirst_Hardware_Root_CA.crt#mozilla/UTN_USERFirst_Hardware_Root_CA.crt#\' /etc/ca-certificates.conf', - cwd => '/etc/ssl/certs', - onlyif => 'grep -Fqx \'!mozilla/UTN_USERFirst_Hardware_Root_CA.crt\' /etc/ca-certificates.conf', - notify => Exec['update_ca_certificates'] - } - exec { 'update_ca_certificates': - command => '/usr/sbin/update-ca-certificates', - cwd => '/etc/ssl/certs', - refreshonly => true + require => Package['openssl'] + } + exec { 'refresh_normal_hashes': + # NOTE 1: always use update-ca-certificates to manage hashes in + # /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will + # get a hash overriding the hash that would have been generated + # for another certificate ... which is problem, comrade + # NOTE 2: always ask update-ca-certificates to freshen (-f) the links + command => '/usr/sbin/update-ca-certificates -f', + refreshonly => true, + require => Package['ca-certificates'], } } -- 2.39.2